Fix: Potential Vulnerability in Cloned Function#3448
tabudz wants to merge 1 commit into sonic-pi-net:dev from
Conversation
The Windows Subsystem for Linux (WSL) is getting increasingly popular, in particular because it makes it _so_ easy to run Linux software on Windows' files, via the auto-mounted Windows drives (`C:\` is mapped to `/mnt/c/`, no need to set that up manually). Unfortunately, files/directories on the Windows drives can be accessed via their _short names_, if that feature is enabled (which it is on the `C:` drive by default). Which means that we have to safeguard even our Linux users against the short name attacks. Further, while the default options of CIFS/SMB-mounts seem to disallow accessing files on network shares via their short names on Linux/macOS, it _is_ possible to do so with the right options. So let's just safeguard against short name attacks _everywhere_.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Thanks for this - although it seems to mostly affect Windows users and the libgit2 in the tree isn't used on that platform in the build. Is this not something that can be remedied by switching to a more recent rugged release?
There doesn't appear to be a more recent rugged release yet.
Thanks for the reply! I'm using a tool that scans for vulnerable code clones, and it flagged the checkout_verify_paths() function in the vendored libgit2 here. The tool does not include the rugged repo yet so I haven't raised any concern there. Totally understand this may not affect the current build or platform, but I thought it was worth noticing. Happy to leave it up to you whether to fix it here or wait for upstream.
Description
This PR fixes a security vulnerability in checkout_verify_paths() that was cloned from libgit2 but did not receive the security patch. The original issue was reported and fixed under libgit2/libgit2@64c612c.
This PR applies the same patch to eliminate the vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-12279
libgit2/libgit2@64c612c
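As an added illustration of the defensive check the commit message and description describe (this is example code, not libgit2's, rugged's or Sonic Pi's own implementation): a checkout-path filter that refuses any path component which could alias the `.git` directory on an NTFS-backed file system, including the 8.3 short name form (`GIT~1`) reachable through WSL or a suitably mounted share. The function names are this example's own, and it generalises the short name to `git~` followed by any digits rather than only `~1`.

```c
/* Added example, not libgit2's or Sonic Pi's code: reject checkout paths whose
 * components could alias .git on NTFS, incl. the 8.3 short name GIT~1. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive prefix test (avoids POSIX-only strncasecmp). */
static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* NTFS strips trailing dots/spaces on open: ".git." opens ".git". */
static bool only_dots_and_spaces(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] != '.' && s[i] != ' ')
            return false;
    return true;
}

/* One component (name, len bytes) may alias ".git" if it is ".git" in any
 * case plus trailing dots/spaces, or the 8.3 form "git~<digits>" that
 * Windows generates by dropping the leading dot and appending ~N. */
bool component_is_dotgit(const char *name, size_t len)
{
    if (len >= 4 && has_prefix_ci(name, ".git"))
        return only_dots_and_spaces(name + 4, len - 4);
    if (len >= 5 && has_prefix_ci(name, "git~")) {
        size_t i = 4;
        while (i < len && isdigit((unsigned char)name[i]))
            i++;
        return i > 4 && only_dots_and_spaces(name + i, len - i);
    }
    return false;
}

/* Walk a slash-separated checkout path; false if any component could
 * alias .git and so must not be written to the working tree. */
bool checkout_path_is_safe(const char *path)
{
    for (const char *start = path;; ) {
        const char *slash = strchr(start, '/');
        size_t len = slash ? (size_t)(slash - start) : strlen(start);
        if (component_is_dotgit(start, len))
            return false;
        if (!slash)
            return true;
        start = slash + 1;
    }
}
```

Note that `.gitignore` and `.github/` pass, because the check only fires when nothing but dots and spaces follows the `.git` or `git~N` prefix.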